Snort - VPN - P2P-ruleset



  • Hi everybody!

    With pfSense 2.1 and Snort (different versions installed since NOV-2013), I experienced an issue with VPN tunnels (from pfSense to pfSense, a total of 3 appliances). After 2-3 min of heavy load (FTP, Samba) on the tunnel (IPsec or OpenVPN, doesn't matter which), the connection broke and the tunnel was gone.

    I tried several things, changed the tunnel from the initial IPsec to OpenVPN, etc., but finally and in the end I found that the tunnels were killed by funny little Snort: the P2P ruleset, several rules around eMule. After turning off this ruleset, the tunnels work fine and never ever broke under load again.

    Has anybody else experienced this before or has an explanation for this bug/feature?

    Kind regards!



  • Yep, happened to me. Well, the VPN wasn't blocked because I have the remote host added to the $home_net, but it was triggering an alert.

    1:2003310 ET P2P Edonkey Publicize File